Protection of personal data and smart health objects
Smart health objects (connected personal objects) collect data from users or their environment. This data is transmitted to an Internet server provided by the manufacturer of the object, either directly or via the object's companion application (installed on the user's smartphone or tablet).
Data transferred to manufacturers’ Internet servers is stored in databases. This storage, beyond facilitating remote and permanent access to the data, can also be exploited by the manufacturer or one of its partners to produce statistics or studies on user behavior.
The different types of data
Connected objects are subject to respect for privacy and the protection of personal data. The law imposes specific constraints on companies collecting these data:
Personal data known as “sensitive”: they “show, directly or indirectly, the racial or ethnic origin, the political, philosophical or religious opinions or the trade union membership of the persons, or are related to their health or sexual life.”
Personal data: they can be directly attached to an individual but do not fall within the scope of sensitive data. Manufacturers can thus free themselves from certain constraints on their processing and collection.
“Non-personal” data: a type of data that does not allow the information stored to be linked to a specific individual (no email or postal address, no telephone number in the database).
Despite this framework, there is no legal definition of “health data” to harmonize manufacturers' practices for processing and collecting data from connected objects. Each manufacturer therefore adopts the regulatory framework that it deems appropriate: anonymizing the collected data so that it is considered non-personal data, treating the collected data as non-sensitive so that it falls only under the personal data framework, or declaring it as health data, which imposes maximum data security …
The legal framework that applies to the company hosting the personal data (legally called the “Processing Manager”) is that of the place where it is established. For example, if it is established in Italy, the Italian regulatory framework applies.
Any user of a smart health object has:
a right to information (knowing the identity of the controller and the purpose of the processing)
the right to object to his personal data being processed
a right to question the data controller about the types of processing carried out with his / her personal data
a right of rectification (modify, delete, lock access to his personal data)